I'm working on a centralized logging solution using the ELK stack and Kafka.
I'm running Ubuntu Xenial on all the machines, and I'm using Rsyslog with omkafka to write all log messages to a Kafka topic. The pipeline is:
+-----------+      +-----------+      +--------------+        +-------------------+
|           |      |           |      |              |        |                   |
|  Rsyslog  +------>   Kafka   +------>   Logstash   +-------->   Elasticsearch   |
| (omkafka) |      |           |      |              |        |                   |
|           |      +-----------+      +--------------+        +-------------------+
+-----------+
Since I now have this solution in place I've turned the verbosity up on most logging to have the biggest amount of info available.
This, however, has exposed a big pain point: /var/log/syslog is growing at a rate where the daily logrotate will not work; the disks fill in ~4 hours. Since I don't exactly need the file contents, I was thinking about disabling logging to that file altogether. I've been searching through the Rsyslog docs and can't find any info on this.
How do I disable file logging in this case?
The other alternative, that I wanted to avoid, is to turn the logrotate frequency up to hourly.
Thanks
1 Answer
Probably all you need is to comment out the following (or similar) line in your /etc/rsyslog.conf:
syslog.* /var/log/syslog
Or reduce it to some more limiting level, like warn or err:
syslog.err /var/log/syslog
For the complete list of priority keywords, consult 'man rsyslog.conf'.
- I'm going to try that out then. For reference the file under Xenial is /etc/rsyslog.d/50-default.conf – John Blackberry, Commented Oct 16, 2017 at 14:38
- Tested, works :) – John Blackberry, Commented Oct 16, 2017 at 15:15
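The following is an added example, not part of the question or answer above: a shell sketch that finds the active rsyslog rules writing to one file and comments out only those, so the omkafka forwarder and local auth logging stay in place. The function names, the broker address `kafka.example:9092`, the topic name and the sample config files are constructed for illustration; the sample selector lines are modelled on Ubuntu's stock rules.

```shell
#!/bin/sh
# Constructed sample modelled on Ubuntu's stock rules plus a hypothetical omkafka forwarder.
make_sample() {   # $1 = directory to populate
    cat > "$1/10-kafka.conf" <<'EOF'
module(load="omkafka")
*.* action(type="omkafka" broker=["kafka.example:9092"] topic="syslog")
EOF
    cat > "$1/50-default.conf" <<'EOF'
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
kern.*                          -/var/log/kern.log
EOF
}

# List active (uncommented) legacy-format rules whose action is the file $2.
# A leading "-" on the action (no sync after each write) is ignored when comparing.
active_rules() {   # $1 = config directory, $2 = log file path
    awk -v t="$2" '
        !/^[ \t]*#/ && NF >= 2 {
            a = $NF; sub(/^-/, "", a)
            if (a == t) print FILENAME ":" FNR ": " $0
        }' "$1"/*.conf
}

# Comment out those rules in one file, leaving every other line untouched.
# The file is rewritten through cat so its owner and mode are preserved.
disable_rule() {   # $1 = config file, $2 = log file path
    awk -v t="$2" '
        !/^[ \t]*#/ && NF >= 2 {
            a = $NF; sub(/^-/, "", a)
            if (a == t) { print "#" $0; next }
        }
        { print }' "$1" > "$1.new" && cat "$1.new" > "$1" && rm -f "$1.new"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    active_rules "$d" /var/log/syslog      # lists the rule in 50-default.conf
    disable_rule "$d/50-default.conf" /var/log/syslog
    active_rules "$d" /var/log/syslog      # lists nothing once the rule is commented out
    cat "$d/50-default.conf"
    rm -rf "$d"
}
demo
```

On a real host, point `disable_rule` at /etc/rsyslog.d/50-default.conf, validate the result with `rsyslogd -N1`, and restart rsyslog for the change to take effect.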